Configuring HSRP

This chapter describes how to use Hot Standby Router Protocol (HSRP) on your Catalyst 3550 switch to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router.

Note You can also use a version of HSRP in Layer 2 mode to configure a redundant command switch to take over cluster management if the cluster command switch fails. For more information about clustering, see "Clustering Switches" and see Getting Started with Cisco Network Assistant, available on Cisco.com.

Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.

Understanding HSRP

HSRP is Cisco's standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of any single router. It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN. When HSRP is configured on a network or segment, it provides a virtual Media Access Control (MAC) address and an IP address that is shared among a group of configured routers. HSRP allows two or more HSRP-configured routers to use the MAC address and IP network address of a virtual router. The virtual router does not exist; it represents the common target for routers that are configured to provide backup to each other. One of the routers is selected to be the active router and another to be the standby router, which assumes control of the group MAC address and IP address should the designated active router fail.

Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3550 routed ports and switch virtual interfaces (SVIs).

HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In a group of router interfaces, the active router is the router of choice for routing packets. The standby router is the router that takes over the routing duties when an active router fails or when preset conditions are met.

The standby ip interface configuration command activates HSRP on a Layer 3 interface. If an IP address is specified, that address is used as the designated address for the Hot Standby group. If no IP address is specified, the address is learned through the standby function.

HSRP is useful for hosts that do not support a router discovery protocol and that cannot switch to a new router when the selected router reloads or loses power. When HSRP is configured on a network segment, it provides a virtual MAC address and IP address that is shared among grouped router interfaces that are running HSRP. The router selected by the protocol to be the active router receives and routes packets destined for the group MAC address. For n routers running HSRP, there are n + 1 IP and MAC addresses assigned.

HSRP detects when the designated active router fails, and a selected standby router assumes control of the Hot Standby group MAC and IP addresses. A new standby router is also selected at that time. Devices running HSRP send and receive multicast UDP-based hello packets to detect router failure and to designate active and standby routers. When HSRP is configured on an interface, Internet Control Message Protocol (ICMP) redirect messages are disabled by default for the interface.

The switch supports HSRP MAC addresses for up to 16 unique HSRP groups. Because each group address can be used on up to 16 Layer 3 interfaces, the maximum number of HSRP interfaces is 256. However, the relationship between the number of HSRP interfaces and the number of active IP routing protocols and other configured features might have an impact on CPU utilization. Because of other switch feature configurations, we recommend that you do not assign more than 64 HSRP interfaces. The switch returns an error message after a period of up to 1 minute if you exceed the HSRP MAC address limitation of 256.

Each of the 16 HSRP MAC addresses can be used by 16 consecutive Layer 3 interfaces because each address is associated with a group of VLANs by using a 4-bit mask. The mask requires that all Layer 3 interfaces be the same multiple of 16. When you create an HSRP group, you can use the same HSRP MAC address on a single Layer 3 interface, several Layer 3 interfaces that are all the same multiple of 16, or a consecutive range of 16 Layer 3 interfaces that are all the same multiple of 16.

For example, HSRP Group 1 might be assigned to interface VLANs 16 to 31, which equals the group maximum of 16 VLANs. VLAN IDs between 16 and 31 are all the same multiple of 16 (each ID is 1 times 16, plus a remainder of 0 to 15). Therefore, if Group 1 is assigned to interface VLANs 16 to 31, only one HSRP MAC address entry is used in hardware. If Group 1 is also assigned to interface VLAN 32, an additional MAC address entry is used in hardware because it is not in the same multiple of 16 as VLANs 16 to 31.

Instead, if Group 1 is assigned to interface VLAN 16, and Group 2 is assigned to interface VLAN 17, two HSRP MAC address entries are used in hardware. Group 1 uses one MAC address entry, and Group 2 uses the other MAC address entry. If Group 1 or Group 2 is later configured on interfaces VLAN 18 through VLAN 31, an additional HSRP MAC address entry is not used because the MAC address entries for these two groups have already been created and can be used for all VLAN interfaces between 16 and 31.

The SVI VLAN ID number is the same as the interface VLAN ID number (for example, interface Vlan 16 uses VLAN 16). For routed ports, the switch automatically assigns a VLAN ID to the interface. Assigned numbers begin at the first available VLAN above 1024. These assigned numbers are also limited to the range of 16 consecutive VLANs per group.

You can verify the VLAN ID assigned to a routed port by using the show vlan internal usage privileged EXEC command.
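The entry-counting rule in the examples above can be checked before a change is rolled out. The following is an added example, not part of the original chapter or of Cisco's software: it models one hardware entry per HSRP group and block of 16 VLAN IDs, which is a reading of the page's examples, and the function names are hypothetical.

```python
from collections import defaultdict

MAX_MAC_ENTRIES = 16  # HSRP MAC address entries held in hardware (from the page)


def mac_entries(assignments):
    """Map each hardware entry to the VLAN IDs that share it.

    assignments is an iterable of (hsrp_group, vlan_id) pairs. For a routed
    port, vlan_id is the internal VLAN shown by "show vlan internal usage".
    An entry is keyed by (hsrp_group, vlan_id >> 4): dropping the low 4 bits
    of the VLAN ID gives the "multiple of 16" the page describes.
    """
    entries = defaultdict(set)
    for group, vlan in assignments:
        entries[(group, vlan >> 4)].add(vlan)
    return {key: sorted(vlans) for key, vlans in entries.items()}


def added_entries(existing, new):
    """Number of extra hardware entries the new assignments would consume."""
    existing = list(existing)
    return len(mac_entries(existing + list(new))) - len(mac_entries(existing))


def within_limit(assignments):
    """True if the assignments fit in the 16 hardware entries."""
    return len(mac_entries(assignments)) <= MAX_MAC_ENTRIES


# The page's two scenarios, written out as (group, VLAN) pairs.
GROUP1_16_TO_31 = [(1, vlan) for vlan in range(16, 32)]
SPLIT_GROUPS = [(1, 16), (2, 17)]

if __name__ == "__main__":
    print("Group 1 on VLANs 16-31:", len(mac_entries(GROUP1_16_TO_31)), "entry")
    print("Adding Group 1 on VLAN 32 costs:",
          added_entries(GROUP1_16_TO_31, [(1, 32)]), "entry")
    print("Group 1 on VLAN 16, Group 2 on VLAN 17:",
          len(mac_entries(SPLIT_GROUPS)), "entries")
```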

An interface can belong to multiple HSRP groups, and the same HSRP group can be applied to different interfaces.

Note Identically-numbered HSRP groups use the same virtual MAC address and might cause errors if you configure bridge groups.

Figure 32-1 shows a segment of a network configured for HSRP. Each router is configured with the MAC address and IP network address of the virtual router. Instead of configuring hosts on the network with the IP address of Router A, you configure them with the IP address of the virtual router as their default router. When Host C sends packets to Host B, it sends them to the MAC address of the virtual router. If for any reason, Router A stops transferring packets, Router B responds to the virtual IP address and virtual MAC address and becomes the active router, assuming the active router duties. Host C continues to use the IP address of the virtual router to address packets destined for Host B, which Router B now receives and sends to Host B. Until Router A resumes operation, HSRP allows Router B to provide uninterrupted service to users on Host C's segment that need to communicate with users on Host B's segment and also continues to perform its normal function of handling packets between the Host A segment and Host B.

HSRP Configuration Guidelines and Limitations

•In the following procedures, the specified interface must be one of these Layer 3 interfaces:

–Routed port: a physical port configured as a Layer 3 port by entering the no switchport interface configuration command.

–SVI: a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface.

–EtherChannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interface into the channel group. For more information, see the "Configuring Layer 3 EtherChannels" section.

•The switch supports HSRP MAC address entries in hardware for up to 16 unique HSRP groups. Because of other switch feature configurations, we recommend that you do not assign more than 64 HSRP interfaces.

•An HSRP group can use the same HSRP MAC address on a single Layer 3 interface, several Layer 3 interfaces that are all the same multiple of 16, or a consecutive range of 16 Layer 3 interfaces that are all the same multiple of 16. For more information about HSRP groups, see the "Understanding HSRP" section.

•An interface can belong to multiple HSRP groups, and the same HSRP group can be applied to different interfaces.

•If you configure the same HSRP group on multiple VLANs, do not use bridge groups to tie the multiple interfaces together. Identically-numbered HSRP groups use the same virtual MAC address and might cause errors if you configure bridge groups.

Enabling HSRP

The standby ip interface configuration command activates HSRP on the configured interface. If an IP address is specified, that address is used as the designated address for the Hot Standby group. If no IP address is specified, the address is learned through the standby function. You must configure at least one routing port on the cable with the designated address. Configuring an IP address always overrides another designated address currently in use.

When the standby ip command is enabled on an interface and proxy ARP is enabled, if the interface's Hot Standby state is active, proxy ARP requests are answered using the Hot Standby group MAC address. If the interface is in a different state, proxy ARP responses are suppressed.

Note When multi-VRF CE is configured, you cannot assign the same HSRP standby address to two different VPNs.

Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: interface interface-id
Purpose: Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP.

Step 3
Command: standby [group-number] ip [ip-address [secondary]]
Purpose: Create (or enable) the HSRP group using its number and virtual IP address.

•(Optional) group-number—The group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0. If there is only one HSRP group, you do not need to enter a group number.

•(Optional on all but one interface) ip-address—The virtual IP address of the hot standby router interface. You must enter the virtual IP address for at least one of the interfaces; it can be learned on the other interfaces.

•(Optional) secondary—The IP address is a secondary hot standby router interface. If neither router is designated as a secondary or standby router and no priorities are set, the primary IP addresses are compared and the higher IP address is the active router, with the next highest as the standby router.

Step 4
Command: end
Purpose: Return to privileged EXEC mode.

Step 5
Command: show standby [interface-id [group]]
Purpose: Verify the configuration.

Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Use the no standby [group-number] ip [ip-address] interface configuration command to disable HSRP.

This example shows how to activate HSRP for group 1 on Gigabit Ethernet interface 0/1. The IP address used by the hot standby group is learned by using HSRP.

Note This procedure is the minimum number of steps required to enable HSRP.

Switch# configure terminal

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# standby 1 ip

Switch(config-if)# end

Switch# show standby

Configuring HSRP Priority

The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for determining active and standby routers and behavior regarding when a new active router takes over. When configuring priority, follow these guidelines:

•Assigning priority helps select the active and standby routers. If preemption is enabled, the router with the highest priority becomes the designated active router. If priorities are equal, the primary IP addresses are compared, and the higher IP address has priority.

•The highest number (1 to 255) represents the highest priority (most likely to become the active router).

•When setting the priority, preempt, or both, you must specify at least one keyword (priority, preempt, or both).

•The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down.

•The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that are not configured for HSRP. When a tracked interface fails, the hot standby priority on the device on which tracking has been configured decreases by 10. If an interface is not tracked, its state changes do not affect the hot standby priority of the configured device. For each interface configured for hot standby, you can configure a separate list of interfaces to be tracked.

•The standby track interface-priority interface configuration command specifies how much to decrement the hot standby priority when a tracked interface goes down. When the interface comes back up, the priority is incremented by the same amount.

•When multiple tracked interfaces are down and interface-priority values have been configured, the configured priority decrements are cumulative. If tracked interfaces that were not configured with priority values fail, the default decrement is 10, and it is noncumulative.

•When routing is first enabled for the interface, it does not have a complete routing table. If it is configured to preempt, it becomes the active router, even though it is unable to provide adequate routing services. To solve this problem, configure a delay time to allow the router to update its routing table.

Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: interface interface-id
Purpose: Enter interface configuration mode, and enter the HSRP interface on which you want to set priority.

Step 3
Command: standby [group-number] priority priority [preempt [delay delay]]
Purpose: Set a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority.

•(Optional) group-number—The group number to which the command applies.

•(Optional) preempt—Select so that when the local router has a higher priority than the active router, it assumes control as the active router.

•(Optional) delay—Set to cause the local router to postpone taking over the active role for the shown number of seconds. The range is 0 to 3600 (1 hour); the default is 0 (no delay before taking over).

Use the no form of the command to restore the default values.

Step 4
Command: standby [group-number] [priority priority] preempt [delay delay]
Purpose: Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router.

•(Optional) group-number—The group number to which the command applies.

•(Optional) priority—Enter to set or change the group priority. The range is 1 to 255; the default is 100.

•(Optional) delay—Set to cause the local router to postpone taking over the active role for the number of seconds shown. The range is 0 to 36000 (1 hour); the default is 0 (no delay before taking over).

Use the no form of the command to restore the default values.

Step 5
Command: standby [group-number] track type number [interface-priority]
Purpose: Configure an interface to track other interfaces so that if one of the other interfaces goes down, the device's Hot Standby priority is lowered.

•(Optional) group-number—The group number to which the command applies.

•type—Enter the interface type (combined with interface number) that is tracked.

•number—Enter the interface number (combined with interface type) that is tracked.

•(Optional) interface-priority—Enter the amount by which the hot standby priority for the router is decremented or incremented when the interface goes down or comes back up. The default value is 10.

Use the no standby [group-number] track type number [interface-priority] interface configuration command to remove the tracking.

This example shows how to activate an interface as a standby router, set an IP address and a priority of 120 (higher than the default value), and a delay time of 300 seconds (5 minutes) before the router attempts to become the active router:

Switch# configure terminal

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# standby ip 172.20.128.3

Switch(config-if)# standby priority 120 preempt delay 300

Switch(config-if)# end
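The priority guidelines in this section (tracking decrements, preemption and the IP address tie-breaker) can be worked through as a small model. This is an added example, not Cisco code: the class, function and interface names are hypothetical, the router addresses are constructed, and applying the default decrement of 10 once alongside any configured decrements is an assumption about the mixed case.

```python
import ipaddress
from dataclasses import dataclass, field

DEFAULT_DECREMENT = 10  # used when a tracked interface has no interface-priority


@dataclass
class Router:
    name: str
    ip: str                  # primary IP address, the tie-breaker
    priority: int = 100      # configured standby priority (default 100)
    preempt: bool = False
    # tracked interface -> configured interface-priority, or None if not set
    tracked: dict = field(default_factory=dict)
    down: set = field(default_factory=set)  # tracked interfaces currently down

    def effective_priority(self):
        failed = [self.tracked[i] for i in self.tracked if i in self.down]
        configured = sum(d for d in failed if d is not None)  # cumulative
        # Assumption: the default decrement is applied once (noncumulative),
        # however many unconfigured tracked interfaces are down.
        default = DEFAULT_DECREMENT if None in failed else 0
        return self.priority - configured - default

    def rank(self):
        # Higher priority wins; equal priorities fall back to the higher IP.
        return (self.effective_priority(), int(ipaddress.ip_address(self.ip)))


def active_after(current, routers):
    """Return the active router once tracking changes have been applied.

    current is the present active router. A challenger takes over only if
    it has preempt configured and outranks the current active router.
    """
    challengers = [r for r in routers if r.preempt and r.rank() > current.rank()]
    return max(challengers, key=Router.rank) if challengers else current


if __name__ == "__main__":
    a = Router("A", "172.20.128.1", priority=120, preempt=True,
               tracked={"Gi0/2": 15, "Gi0/3": 20})
    b = Router("B", "172.20.128.2", priority=110, preempt=True)
    print(active_after(a, [a, b]).name)   # A: 120 beats 110
    a.down = {"Gi0/2"}                    # A drops to 105
    print(active_after(a, [a, b]).name)   # B preempts
```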

Configuring HSRP Authentication and Timers

You can optionally configure an HSRP authentication string or change the hello-time interval and holdtime.

When configuring these attributes, follow these guidelines:

•The authentication string is sent unencrypted in all HSRP messages. You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation. Authentication mismatch prevents a device from learning the designated Hot Standby IP address and timer values from other routers configured with HSRP.

•Routers or access servers on which standby timer values are not configured can learn timer values from the active or standby router. The timers configured on an active router always override any other timer settings.

•All routers in a Hot Standby group should use the same timer values. Normally, the holdtime is greater than or equal to 3 times the hellotime.

Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP authentication and timers on an interface:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: interface interface-id
Purpose: Enter interface configuration mode, and enter the HSRP interface on which you want to set authentication.

Step 3
Command: standby [group-number] authentication string
Purpose:

(Optional) authentication string—Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco.

(Optional) group-number—The group number to which the command applies.

Step 4
Command: standby [group-number] timers hellotime holdtime
Purpose: (Optional) Configure the time between hello packets and the time before other routers declare the active router to be down.

•group-number—The group number to which the command applies.

•hellotime—The hello interval in seconds. The range is from 1 to 255; the default is 3 seconds.

•holdtime—The time in seconds before the active or standby router is declared to be down. The range is from 1 to 255; the default is 10 seconds.

Step 5
Command: end
Purpose: Return to privileged EXEC mode.

Step 6
Command: show running-config
Purpose: Verify the configuration of the standby groups.

Step 7
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Use the no standby [group-number] authentication string interface configuration command to delete an authentication string. Use the no standby [group-number] timers hellotime holdtime interface configuration command to restore timers to their default values.

This example shows how to configure word as the authentication string required to allow Hot Standby routers in group 1 to interoperate:

Switch# configure terminal

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# standby 1 authentication word

Switch(config-if)# end

This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which a router is considered down to be 15 seconds:

Switch# configure terminal

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# standby 1 ip

Switch(config-if)# standby 1 timers 5 15

Switch(config-if)# end
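The authentication and timer guidelines in this section lend themselves to an offline check of saved configurations. This is an added example, not Cisco tooling: it parses only the standby syntax shown in this chapter, the two configuration fragments are constructed, the function names are hypothetical, and it assumes the configurations passed in belong to routers on the same segment.

```python
import re
from collections import defaultdict

# Constructed running-config fragments for two routers on one LAN segment.
ROUTER_A = """\
interface GigabitEthernet0/1
 standby 1 ip 172.20.128.3
 standby 1 timers 5 15
 standby 1 authentication word
"""
ROUTER_B = """\
interface GigabitEthernet0/1
 standby 1 ip
 standby 1 timers 5 10
"""

STANDBY = re.compile(r"^\s*standby\s+(?:(\d+)\s+)?(\S+)\s*(.*)$")


def parse_hsrp(config):
    """Return {(interface, group): settings}, starting from the page's defaults."""
    groups, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = STANDBY.match(line)
        if not m or iface is None:
            continue
        key = (iface, int(m.group(1) or 0))  # the group number defaults to 0
        s = groups.setdefault(
            key, {"auth": "cisco", "hello": 3, "hold": 10, "timers_set": False})
        keyword, args = m.group(2), m.group(3).split()
        if keyword == "timers" and len(args) >= 2:
            s.update(hello=int(args[0]), hold=int(args[1]), timers_set=True)
        elif keyword == "authentication" and args:
            s["auth"] = args[0]
    return groups


def audit(routers):
    """routers maps a router name to its config text; returns sorted findings."""
    findings, by_group = set(), defaultdict(list)
    for name, config in routers.items():
        for (iface, group), s in parse_hsrp(config).items():
            where = f"{name} {iface} group {group}"
            by_group[group].append(s)
            if s["auth"] == "cisco":
                findings.add(f"{where}: default authentication string")
            if len(s["auth"]) > 8:
                findings.add(f"{where}: authentication string over 8 characters")
            if s["hold"] < 3 * s["hello"]:
                findings.add(f"{where}: holdtime below 3 x hellotime")
    for group, members in by_group.items():
        if len({s["auth"] for s in members}) > 1:
            findings.add(f"group {group}: authentication strings differ")
        # Routers without configured timers learn them, so compare explicit ones.
        if len({(s["hello"], s["hold"]) for s in members if s["timers_set"]}) > 1:
            findings.add(f"group {group}: configured timers differ")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit({"A": ROUTER_A, "B": ROUTER_B}):
        print(finding)
```

Because the string is carried unencrypted in every HSRP message, a finding here points to a configuration mismatch or an unchanged default, not to a leaked secret.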

Configuring HSRP Groups and Clustering

When a device is participating in HSRP standby routing and clustering is enabled, you can use the same standby group for command switch redundancy and HSRP redundancy. Use the cluster standby-group HSRP-group-name [routing-redundancy] global configuration command to enable the same HSRP standby group to be used for command switch and routing redundancy. If you create a cluster with the same HSRP standby group name without entering the routing-redundancy keyword, HSRP standby routing is disabled for the group.

This example shows how to bind standby group my_hsrp to the cluster and enable the same HSRP group to be used for command switch redundancy and router redundancy. The command can only be executed on the command switch. If the standby group name or number does not exist, or if the switch is a member switch, an error message appears.

Switch# configure terminal

Switch(config)# cluster standby-group my_hsrp routing-redundancy

Switch(config)# end

Displaying HSRP Configurations

From privileged EXEC mode, use this command to display HSRP settings:

show standby [interface-id [group]] [brief] [detail]

You can display HSRP information for the whole switch, for a specific interface, for an HSRP group, or for an HSRP group on an interface. You can also specify whether to display a concise overview of HSRP information or detailed HSRP information. The default display is detail. If there are a large number of HSRP groups, using the show standby command without qualifiers can result in an unwieldy display.

This is an example of output from the show standby privileged EXEC command, displaying HSRP information for two standby groups (group 1 and group 100):